Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Security hardening apache, single issue remains |
|
| Author |
|
wex65
Joined: 21 Nov 2021
Posts: 4
Location: USA, WV
|
 Posted: Sun 21 Nov '21 17:41 Post subject: Security hardening apache, single issue remains |
 |
|
I am a fairly novice user but attempting to pass PCI on a Rocky 8.5 server running Apache 2.4.37
I have confirmed all CVEs are patched where possible and reconfigured apache to compensate for those where it isn't patched (unloaded unneeded modules etc).
I am left with a single CVE (CVE-2021-36160) for which I am not patched and there seems to be no mitigation I am aware of.
>>>>From RH>>>
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
So what are my options here? My banking provider insists upon compliance but it seems this CVE has no mitigation possible?? The phrase 'rock and a hard place' springs to mind!
I understand this has been resolved in 2.4.49 so although backporting is the usual approach, why can I not just upgrade in this instance to 2.4.49...or newer, as there is no other mitigation?
Thanks for any input/resources. |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
|
| Back to top |
|
wex65
Joined: 21 Nov 2021
Posts: 4
Location: USA, WV
|
| Posted: Sun 21 Nov '21 21:28 Post subject: |
|
|
Yes, I mentioned this in my original post above. |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg
|
| Posted: Sun 21 Nov '21 22:12 Post subject: |
|
|
| Quote: | | A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). |
mod security can block those harmful requests. |
|
| Back to top |
|
wex65
Joined: 21 Nov 2021
Posts: 4
Location: USA, WV
|
| Posted: Sun 21 Nov '21 22:32 Post subject: |
|
|
| James Blond wrote: | | Quote: | | A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). |
mod security can block those harmful requests. |
Many thanks for the pointer, can you provide any further insight into how this might be done.
Also, is there a reason NOT to upgrade apache to a later version. Server OS is Rocky8.5. I do understand that typically the focus is on backporting rather than moving to a new version.
Paul |
|
| Back to top |
|
wex65
Joined: 21 Nov 2021
Posts: 4
Location: USA, WV
|
| Posted: Mon 22 Nov '21 22:21 Post subject: |
|
|
| For anyone viewing this in the future the solution was even easier...I simply unloaded the offending module (mod_proxy_uwsgi) which was not needed. |
|
| Back to top |
|
|
|
|
|
|
